CVE-2023-4863: Just How Deep Does the Rabbit Hole Go?
Vulnerability: Heap Buffer Overflow in libwebp
CVE ID: CVE-2023-4863
CVSS Score: 8.8 (Though a different CVE merged into this one was scored 10.0. The 8.8 score will likely be updated given the scope and risk)
TuxCare’s Extended LifeCycle Support status can be found in TuxCare’s CVE tracker here.
The vulnerability originates in the way libwebp navigates Huffman encoding tables. A Huffman table is the “dictionary” that tells a program how the image data is stored in the file. Huffman tables are used to encode many kinds of data, not just images and not just the WebP format: elements of the data that occur very often are stored using fewer bits, and elements that occur rarely are stored using longer bit sequences, so the file as a whole becomes smaller. The table itself is stored inside each WebP file.
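To make the Huffman-table idea concrete, here is an added example (not libwebp’s code) that derives code lengths from symbol frequencies, builds the canonical decode table a reader of the file would build, and shows the completeness check a decoder should run on file-supplied code lengths before sizing a table from them; the sample input is constructed and at least two distinct symbols are assumed.

```python
# Added example, not libwebp code: canonical Huffman table with a completeness check.
from collections import Counter
import heapq

def code_lengths(data: bytes) -> dict:
    """Huffman code lengths: frequent symbols get short codes, rare ones long codes."""
    freq = Counter(data)
    heap = [(f, i, [s]) for i, (s, f) in enumerate(sorted(freq.items()))]
    heapq.heapify(heap)
    lengths = {s: 0 for s in freq}
    tie = len(heap)  # unique tiebreaker so symbol lists are never compared
    while len(heap) > 1:
        (f1, _, s1), (f2, _, s2) = heapq.heappop(heap), heapq.heappop(heap)
        for s in s1 + s2:
            lengths[s] += 1
        heapq.heappush(heap, (f1 + f2, tie, s1 + s2))
        tie += 1
    return lengths

def kraft_ok(lengths: dict) -> bool:
    """Kraft check in integers: a complete prefix code satisfies sum(2**(max_len - l)) == 2**max_len."""
    max_len = max(lengths.values())
    return sum(2 ** (max_len - l) for l in lengths.values() if l > 0) == 2 ** max_len

def build_decode_table(lengths: dict) -> dict:
    """Canonical codes in (length, symbol) order; returns {(length, code): symbol}."""
    if not kraft_ok(lengths):  # over-subscribed or incomplete lengths: refuse to size a table
        raise ValueError("code lengths are not a complete prefix code; table not built")
    table, code, prev_len = {}, 0, 0
    for sym, l in sorted(lengths.items(), key=lambda kv: (kv[1], kv[0])):
        code <<= l - prev_len
        table[(l, code)] = sym
        code, prev_len = code + 1, l
    return table

def encode(data: bytes, table: dict) -> str:
    inv = {sym: format(code, f"0{l}b") for (l, code), sym in table.items()}
    return "".join(inv[s] for s in data)

def decode(bits: str, table: dict) -> bytes:
    out, code, l = [], 0, 0
    for b in bits:
        code, l = (code << 1) | int(b), l + 1
        if (l, code) in table:
            out.append(table[(l, code)])
            code, l = 0, 0
    if l:
        raise ValueError("trailing bits do not form a code")
    return bytes(out)
```

With the constructed input b"aaaaabbbc", the common byte 'a' gets a 1-bit code and the rare 'c' a 2-bit code, so 9 bytes encode in 13 bits, and a set of lengths whose Kraft sum overshoots is rejected before any table is built.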
A specially crafted image can trigger an out-of-bounds buffer write with attacker-controlled content. This is a zero-click attack, enabling a remote attacker to potentially take over the system with no interaction from the user. Initially perceived as a Google Chrome problem, the revelation that the bug lives in libwebp means the vulnerability can potentially affect any application capable of loading WebP images, provided it uses libwebp internally. This includes, but is not limited to, Firefox, Thunderbird, FFmpeg, social platform messengers, and iOS and Android devices.
CISA lists this vulnerability as currently exploited in the wild, meaning there is clear evidence of cybersecurity incidents directly connected to exploits of it. Given its high profile, the staggering amount of affected third-party software, and how much public research has been made available, exploit code is also easily accessible to interested parties.
Recent events involving Pegasus spyware have illustrated that this vulnerability is not a mere hypothetical threat but a tangible risk affecting global cybersecurity.
Analyzing the Far-Reaching Implications of CVE-2023-4863
The discovery of a new vulnerability is akin to a thrilling yet perilous adventure into the unknown. CVE-2023-4863 is no exception. The vulnerability, which revolves around how libwebp handles Huffman encoding tables, has brought forth a cascade of potential security breaches across numerous applications and platforms. The issue is not isolated to a single application or operating system, making it a formidable threat in the vast digital ocean.
This vulnerability was discovered in the midst of a global cybersecurity crisis involving the notorious Pegasus spyware. On September 12, 2023, urgent patches were released for two Apple issues and a Chrome update to address actively exploited vulnerabilities. Discovered by CitizenLab while investigating an individual’s device from a Washington DC-based organization, two vulnerabilities (CVE-2023-4863 and the iOS-specific CVE-2023-41064) were found to be based on a heap buffer overflow in libwebp.
It was discovered that the issue lay within the “lossless compression” support for WebP, more commonly known as VP8L. Understanding how to exploit this vulnerability was also very difficult: the number of possible image contents is very large, and the small, specific subset of those images that triggers this behavior was very hard to identify; in fact, it is almost impossible to guarantee that no other such edge cases exist. This suggests, but does not confirm, that the effort put into finding the vulnerability was substantial, and not just a run-of-the-mill security researcher stumbling onto it by chance.
There are substantial monetary rewards for this type of vulnerability. For example, very recently there was an offering of a staggering $20 million for fully functional zero-click exploits for iOS. This seems to justify the effort put into looking for such issues in the first place.
The criticality of CVE-2023-4863 cannot be overstated. Google and Apple have rolled out updates to patch this vulnerability, but libwebp is used in many other applications. The Android update, especially, may take a significant amount of time to permeate through all makes and models, due to the patch gap present in the Android ecosystem.
Pegasus spyware, marketed by the NSO Group, is notorious for its insidious and pervasive nature. It has been instrumental in numerous surveillance campaigns. The spyware, which steals emails, text messages, photos, videos, locations, passwords, and social media activity without consent or visibility, has been around for years, and its existence should not be overlooked. It relies on highly advanced vulnerabilities, like this one, to deploy to unsuspecting targets’ equipment and systems. The fact that libwebp’s presence is not restricted to mobile devices only makes for a (much) larger attack surface.
Simply visiting a website containing a malicious image, receiving an image through instant messaging, or opening such content in an image viewer where the issue has not been addressed is enough for an attacker to deliver a payload. It will inevitably be used for other types of malware.
You can check an in-depth discussion of this specific vulnerability and some of its impacts in this Enterprise Linux Security podcast episode.
Given the risk, prevalence and ease-of-attack, TuxCare strongly recommends applying patches for all systems immediately as they become available.
You can follow the availability of patches for systems covered under TuxCare’s Extended Lifecycle Support service here.
Additionally, for other operating systems and devices, patching should be done at the earliest possible opportunity.